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September 10, 2020 


Emily W. Murphy 

Administrator 

General Services Administration 
1800 F Street Northwest 
Washington, DC 20006 


Via Regulations.gov 


Re: FAR Case #FAR-2019-0009: Prohibition on Contracting with Entities Using 
Certain Telecommunications and Video Surveillance Services or Equipment 


Dear Ms. Murphy: 


BSA | The Software Alliance! appreciates the opportunity to provide comments on the Interim 
Rule amending the Federal Acquisition Regulation (FAR) to implement section 889(a)(1)(B) 
of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 
(P. L. 115-232) [henceforth, the Interim Rule].? BSA is the leading advocate for the global 
software industry before governments and in the international marketplace. Software powers 
technologies that enhance our personal lives and businesses in every sector, and BSA’s 
members are at the forefront of software-enabled innovation, including the Internet of Things, 
blockchain, and artificial intelligence (Al). Moreover, BSA’s members are pioneers in the field 
of software security and supply chain security, and have deep experience evaluating and 
mitigating risks posed by vulnerabilities in transnational supply chains. 


The real-world, practical implications of the Interim Rule as currently written could prohibit 
US businesses from doing business overseas because basic communications services may 
include covered technologies. BSA therefore respectfully requests the Interim Rule be stayed 
while these practical considerations are discussed. 


I. Introduction 


BSA and its members engaged with Congress as it first considered the provisions of P.L. 115- 
232 that are the subject of the Interim Rule. At the time, BSA raised concerns that the draft 
provisions could prove unnecessarily disruptive to responsible industry members providing 
trustworthy products and services to the United States Government, even while recognizing 
the concerns that prompted the legislation: namely, that certain equipment and services 
provided by Huawei Technologies Company, ZTE Corporation, Hytera Communications 
Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology 





1 BSA’s members include: Adobe, Akamai, Apple, Autodesk, Bentley Systems, Box, Cadence, 
CNC/Mastercam, DataStax, DocuSign, IBM, Informatica, MathWorks, Microsoft, Okta, Oracle, PTC, 
Salesforce, Siemens PLM Software, Slack, Splunk, Symantec, Trend Micro, Trimble Solutions 
Corporation, Twilio, and Workday. 


2 https://www.govinfo.gov/content/pkg/FR-2020-07-14/pdf/2020-15293. pdf 
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Company (including their subsidiaries and affiliates) may introduce unacceptable supply 
chain risks due to nation-state actors’ access to and potential exploitation of those equipment 
and services. While the legislation constrains the Administration’s flexibility in addressing 
this threat, BSA is concerned that the Interim Rule exacerbates the potential disruptive impact 
of the legislation on responsible providers because it lacks specificity on several key terms. 


BSA's specific concerns are discussed in the section below. Because of the confusion 
surrounding these terms and their effect on implementation of the Interim Rule, and because 
of the broad scope of the Interim Rule’s application, BSA strongly believes that the 
Administration should initiate a temporary pause of the Interim Rule’s implementation to allow 
for definitional questions and associated practical consequences to be fully evaluated and 
addressed. 


ll. Definitional Concerns 


The scope of the Interim Rule’s application is guided by definitions of two key terms: “entity” 
and “use.” In addition, the Interim Rule defines a new concept, “reasonable inquiry,” to guide 
companies’ evaluation of whether the rule applies to their products or services. BSA provides 
comments on each of these terms below. 


a. Definition of “use” and related terms. 


The Interim Rule is established to prohibit the use of covered telecommunications equipment 
or services. Critical to understanding the application of this rule is the definition of “use”; 
unfortunately, the rule leaves significant ambiguity around what is meant by “use.” In fact, 
the rule does not include a definition for “use,” instead simply repeating the requirement in 
P.L. 115-232 that agencies are prohibited from entering into, extending, or renewing a 
contract with an entity that “uses any equipment, system, or service that uses covered 
telecommunications equipment or services as a substantial or essential component of any 
system, or as critical technology as part of any system.” Notably, other terms in this 
statement remain undefined as well, including how broadly “any system” should be 
interpreted. 


One interpretation of “use” in this context could be as broad as banning the use of broadband 
service providers at facilities in third countries, even where no viable alternatives exist. The 
upshot of this lack of definitional clarity is that companies will be forced to make subjective 
judgments about the extent to which the Interim Rule’s use prohibition may apply to aspects 
of their business, with the risk that businesses could be removed from federal acquisitions if 
an agency disagrees with their judgment. Such a subjective process creates confusion and 
opens opportunities for inconsistent or biased enforcement. Moreover, its potential over- 
broad application could shut many businesses out of the federal acquisition process without 
regard for any justifiable supply chain risk. 


The Interim Rule does state that the prohibition on use applies “regardless of whether that 
usage is in performance of work under a Federal contract.” As such, the prohibition covers 
even commercial activities that have no connection to the entity’s performance of a federal 
contract. This extension of the prohibition raises troubling concerns that the Interim Rule’s 
scope extends beyond the stated purpose of “protecting the homeland from the impact of 
Federal contractors using covered telecommunications equipment or services that present a 
national security concern.” 


It is essential that any final rule address the ambiguities around the definition of “use” and its 
application in defining the rule’s scope. “Use” should be clearly defined, and defined in a 
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way that is limited to activities that specifically introduce a risk to Federal supply chains. For 
example, commercial activities unrelated to the performance of federal contracts should be 
excluded, and the prohibition should explicitly exclude companies use of telecommunications 
services supported by telecommunications infrastructure that may include covered 
technologies where viable alternatives do not exist. (For example, if a production facility 
based in a third country obtains broadband services from an entity using covered 
technologies and no other broadband service providers are available, such use should not 
be covered by the prohibition). 


b. Definition of “entity.” 


The term “entity” is used to define the parties to which the general prohibition on “use” of 
covered telecommunications equipment will apply. Under the Interim Rule, this prohibition is 
applied only to prime contractors with which an agency of the United States Government 
“enters into a contract.” Because an agency does not “enter into a contract” with 
subcontractors, subsidiaries, affiliates, or similarly related organizations, the prohibition does 
not flow down to those organizations. The Federal Register Notice solicits feedback on the 
potential expansion of this definition to cover such related entities. 


BSA strongly recommends that any final rule avoid extending the scope of covered entities 
beyond application directly and exclusively to the contracting party. Affiliates, subsidiaries, 
subcontractors, and other related organizations should not be covered by the rule’s 
prohibitions, for two reasons. Most importantly, expanding the scope of the definition would 
create implementation hurdles for contracting parties that could prove impossible to 
overcome. Contracting parties are in no position to police the potential use of any equipment 
or service that may contain a component comprising covered telecommunications equipment 
in any aspect of a related entity’s organization or business — such a task would, in many 
cases, prove simply impossible. Asking contracting parties to be responsible for enforcing 
the prohibition across other related organizations may cause them to incur liability for actions 
by those organizations that the contracting party has no reasonable ability to direct or 
prevent. Second, the use of covered telecommunications equipment by subsidiaries, 
affiliates, subcontractors, and other related organizations covers a broad scope of activities, 
much of which may be irrelevant to mitigating risk to U.S. government supply chains. Any 
final rule should be squarely focused on mitigating risk to U.S. government supply chains; 
straying from this objective could create the appearance of protectionism or inappropriate 
punitive action. Focusing on contracting parties offers the best approach to address risk to 
U.S. government supply chains without rendering implementation impractical or creating 
unintended consequences to government and industry. 


c. Definition of “reasonable inquiry.” 


BSA appreciates the Interim Rule’s introduction of the concept of a “reasonable inquiry” into 
whether a company uses covered technologies. The concept has the potential to help 
businesses avoid turning to lengthy and cost-prohibitive audit processes to demonstrate 
compliance with the Interim Rule’s use prohibition. Any final rule should retain this concept 
in some form. 


Currently, “reasonable inquiry” is defined as “an inquiry designed to uncover any information 
in the entity's possession about the identity of the producer or provider of covered 
telecommunications equipment or services used by the entity that excludes the need to 
include an internal or third-party audit.” This definition does include ambiguous phrases that 
could create implementation challenges. For example, the phrase “any information in the 
entity's possession” suggests a comprehensive set of publicly and privately available 
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information, beyond the preambular suggestion that “primarily documentation or other 
records” is intended. In addition, the terms “producer” and “provider” are undefined. The 
definition could be improved in any final rule by addressing these phrases; perhaps more 
importantly, the Interim Rule may be improved by establishing a clear standard for supply 
chain diligence, ideally aligned with internationally recognized standards in this area. 


lll. Practical Considerations 


Implementation of the Interim Rule and of key concepts that may be retained in a final rule 
could pose significant practical challenges. 


First, as noted above, ambiguity around the definition of “use”, paired with the broad scope 
of the Interim Rule’s application (e.g., to commercial activities not associated with the 
performance of Federal contracts), could make it nearly impossible for businesses with 
multinational operations to comply with the use prohibition. In many countries around the 
world, national telecommunications infrastructures and/or major telecommunications service 
providers use infrastructure that may include components comprising covered technologies. 
In some instances, it may be impractical for businesses to even determine whether such 
infrastructures include covered technologies. 


As currently written, the Interim Rule appears ambiguous regarding whether a business 
obtaining basic telecommunications services necessary to maintain operations in a third 
country (e.g., broadband service) would violate the use prohibition simply based on use of 
such services, despite the fact that there may be no viable alternative. If the prohibition were 
to apply in such circumstances, it could dramatically impair the ability of U.S. industry to do 
business overseas, undermining U.S. economic competitiveness. 


One possible tool that could be useful in addressing such circumstances is the waiver 
authority provided for in the original legislation. However, the Interim Rule limits the practical 
potential of such waivers. Entities may request only a one-time, two-year waiver to continue 
use of covered equipment; alternatively, the Director of National Intelligence may issue a 
waiver if such a waiver is determined to advance national security interests. Neither waiver 
provides a sustainable solution to the scenario presented above. A final rule should expand 
the circumstances in which a waiver can be granted. 


In addition to limiting the waiver authority provided for in the original legislation, the Interim 
Rule also appears to limit the scope of the rule of construction in Section 889(a)(2)(B) of the 
original legislation. That rule of construction would exclude from the law’s use prohibition 
“telecommunications equipment that cannot route or redirect user data traffic or permit 
visibility into any user data or packets that such equipment transmits or otherwise handles.” 
The Interim Rule interprets this provision to exclude the provision of such equipment, but 
does not cover the use of such equipment. Businesses using services that depend on such 
equipment could thus be impacted by the use prohibition, and we believe this outcome would 
be contrary to Congress’s intent. The Interim Rule (FAR 52.204-25(c)(2)) should be 
amended as follows to include use of such equipment in the stated exceptions: 


“(c) Exceptions. This clause does not prohibit contractors from-prewiding— 


“(1) Providing a A-service that connects to the facilities of a third-party, such as 
backhaul, roaming, or interconnection arrangements; or 
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“(2) Providing or using telecommunications Felecemmunications—equipment that 
cannot route or redirect user data traffic or permit visibility into any user data or 
packets that such equipment transmits or otherwise handles.” 


Conclusion 


The passage of Section 889 in P.L. 115-232 left the Administration with significant 
implementation challenges, and many of these challenges appear within the Interim Rule 
drafted by the Administration. Accurately identifying and mitigating risk throughout Federal 
supply chains posed by the covered technologies is a complex endeavor, and great care 
must be taken to prevent unnecessary disruption of contractor operations, to avoid 
undermining U.S. economic competitiveness, and to tightly confine the scope of coverage to 
activities directly impacting Federal supply chains. Unfortunately, the Interim Rule does not 
achieve these three priorities. 


To be both practically feasible and conceptually sound, further guidance is needed to define 
and tailor the policy’s scope, provide tools — such as waivers — for addressing the diversity 
of circumstances in which U.S. government contractors operate, and clarify key definitions 
shaping the policy’s application. These are not quick and easy fixes. As such, BSA believes 
the Administration should initiate a temporary pause of the Interim Rule’s implementation to 
allow for definitional questions and associated practical consequences to be fully evaluated 
and addressed. Such a pause would allow for multi-stakeholder engagement to gain a better 
understanding of many of the questions included in the Federal Register Notice, such as the 
extent U.S. industry will be impacted by the use prohibition, the cost to industry of 
compliance, and how to address cases in which compliance is infeasible and alternatives are 
unavailable — questions which rightly should be answered before the policy takes effect. 


Moreover, such a pause would allow the Administration to consider options for phasing in 
implementation in ways that enable businesses to identify alternatives and make smart 
choices that benefit federal supply chain security without undermining economic 
competitiveness. Phasing in the policy could entail different compliance deadlines for 
different uses of covered technologies; for example, distinguishing products manufactured 
for government use that include components composed of covered technologies from cases 
in which entities use covered technologies in services that do not impact the delivery of their 
equipment or service to the United States Government. 


Without an implementation pause, there is a significant risk that the Interim Rule could 
unintentionally compromise the ability of American companies to compete around the world, 
while prompting reciprocal punitive actions targeting U.S. industry by foreign governments. 
BSA and its members are eager to work with the Administration to avoid this outcome. 


We are grateful for the opportunity to provide comments on this important policy, and look 
forward to working with the Administration as its work in this area continues. 


Sincerely, 


Tommy Ross 
Senior Director, Policy 
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